Alerts

Alerts are the normalized, scored detections you triage day to day, available at /alerts for the queue and /alerts/:id for a single alert.

What it does

Each alert is a detection that has been normalized and scored, then stored in OpenSearch for fast search and filtering. Alerts carry a severity and a priority set by the platform's AI agents during enrichment and triage, so the highest-impact items surface first.

Every alert keeps an audit trail of status changes — from initial ingestion through enrichment, triage, escalation, and resolution — so you can always see how it reached its current state and who or what changed it.

Key actions

  • Filter the queue. Narrow /alerts by severity and status to focus on what matters. The same view powers the Escalation page, which shows only escalated alerts.
  • Open an alert. Select any row to open /alerts/:id with the full detection, enrichment, and triage context.
  • Mark seen. Clear unseen alerts so the rest of the team knows what has already been reviewed.
  • Escalate. Move an alert up the response chain (for example, escalate to L2) when it needs deeper human attention.
  • Follow the status history. Review the audit trail to understand each transition the alert has been through.

Severity and priority

Severity reflects how serious a detection is; priority reflects how urgently you should act. Both are assigned by AI agents as part of automated triage, not entered by hand, which keeps scoring consistent across high alert volumes. Use them together to order your queue.

How alerts roll up into incidents

Related alerts that appear to be part of the same activity are correlated into Incidents — grouped attack chains with their own severity and confidence. When triaging, check whether an alert already belongs to an incident before treating it in isolation.

Tips

  • Start from the highest severity and priority, then work down.
  • Mark seen as you go to keep unseen counts meaningful for the whole shift.
  • If an alert looks connected to others, pivot to its incident rather than resolving it alone.
Exact statuses, filters, and escalation tiers depend on your configuration. Confirm against your deployment.